In its effort to clarify student data privacy rules for researchers and education officials alike, the U.S. Department of Education proposed several changes to the Family Educational Rights and Privacy Act, or FERPA, on Thursday and named its first chief privacy officer.
"Data should only be shared with the right people for the right reasons," U.S. Secretary of Education Arne Duncan said in a statement on the proposals. "We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data. The initiatives announced today will help us do just that."
The department proposes the following changes to FERPA:
• Tighter enforcement: Department officials said there has been confusion in the past about whether agencies that received permission to work with student data—but did not collect it or work with the children directly—could be held to the same standards for protecting students' privacy. The new rules would require that everyone who has access to student data, even through an "exception" in FERPA, would still be held to the law. Those who fail to meet the requirements could see their grants withheld or be barred from student data-sharing for five years.
• Directory information protection: Rather than simply categorizing something as directory information, the department proposed that schools be allowed to have directories for limited uses, to limit the ability of marketers or identity thieves to access the data. For example, a school could collect data for a yearbook, like a student's name, grade, photo, and activities, but restrict that use to the yearbook itself.
• State representation: FERPA already allows districts to enter into written agreements with researchers to use data to evaluate programs, but the department also would allow states to create such agreements on behalf of multiple districts. This would allow state officials to research the effectiveness of a statewide kindergarten reading program, for example, or to compare the implementation of math coaches among districts.
• P-20 tracking: In keeping with the department's push for better college and career readiness information, it also would allow high school administrators to share student achievement data to track their graduates' academic success in college.
In addition, the department launched a new division devoted to "responsible stewardship, collection, use, maintenance, and disclosure of information at the national level within the Education Department," and will supervise the department's existing technical assistance for states and districts.
Back in November, I reported that the department had launched a new Privacy Technical Assistance Center, housed at the National Center for Education Statistics, to answer states' questions on privacy issues.
Education Department officials told me that PTAC has already gotten a lot of questions from states and districts, not just on FERPA requirements, but about more practical problems associated with the plethora of new state longitudinal data systems sprouting in the last few years: How to keep data secure, what policies to put into place to govern the use of the data, and how to safely collect and report the new information required by the fiscal-stimulus law.
The technical assistance center is developing a privacy toolkit for states, including a checklist for data privacy policies and a list of frequently asked questions. It also is coordinating regional visits and training for state officials who are building privacy protections for their states' longitudinal databases. It has released a series of briefs on common privacy issues, such as definitions and best practices, as well.
PTAC is also looking for feedback from states and districts about how to define what counts as "reasonable methods" for data security; it plans to release guidance on best practices in that area later.
The full FERPA proposal will be posted here this morning, and readers can submit comments for the next 45 days. The department hopes to release final rules by the end of the year.